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Abstract — We determine the capacity region of the secure 
multiplex coding with a common message, and evaluate the 
mutual information and the equivocation rate of a collection 
of secret messages to the second receiver (eavesdropper), which 
were not evaluated by Yamamoto et al. 

Index Terms — broadcast channel with confidential messages, 
information theoretic security, multiuser information theory 

I. Introduction 

The information theoretic security attracts much attention 
recently ifTTI . because it offers security that does not depend on 
a conjectured difficulty of some computational problem. One 
of most fundamental problems in the information theoretic 
security is coding for the wiretap channel considered by 
Wyner [14]. Later it was generalized to the broadcast channel 
with confidential messages (hereafter abbreviated as BCC) by 
Csiszar and Korner ||4l, in which there is a single sender called 
Alice and two receivers called Bob and Eve. In the formulation 
in [4], Alice has a common messages destined for both Bob 
and Eve and a private message destined solely for Bob. The 
word "confidential" means that Alice wants to prevent Eve 
from knowing much about the private message. The wiretap 
channel corresponds to BCC without the common message. 
The coding in these situations has two goals, namely error 
correction and secrecy. 

The secrecy is realized by including random bits statistically 
independent of the secret message into the transmitted signal 
by Alice so that the secret message becomes ambiguous to 
Eve. The inclusion of random bits, of course, decreases the 
information rate. In order to get rid of the decrease in the 
information rate, Yamamoto et al. [8J proposed the secure 
multiplex coding, in which there is no loss of information rate. 
The idea of Yamamoto et al. is as follows. Suppose that Alice 
has T statistically independent messages S \, . . . , S t- Then Si, 
Si-i, Si+i, St serve as the random bits making 5, 
ambiguous to Eve, for each /. However, there are three rooms 
for improvement in Yamamoto et al. |8| as follows: (1) Let Z 
be Eve's received signal. Yamamoto et al. JS) proved that the 
mutual information 7(5 ,;Z) can be made arbitrary small for 
each /, but they did not evaluate 7(5 j;Z), where Sj denotes 
the collection of secret messages (5, : / € J). (2) They did not 
evaluate the equivocation rate when the information rates of 
secret messages are large. (3) Their coding scheme |8| cannot 
support a common message to both Bob and Eve as done by 
Csiszar and Korner |4|. 



In this paper, we shall present a coding scheme for the 
secure multiplex coding that uses the privacy amplification 
technique and that can support a common message to both Bob 
and Eve. We evaluate the mutual information for collections 
of secret messages (Si : i e I) for all 9^ J c {1, . . . , T]. We 
also clarify the convergence speed of the mutual information 
to the infinity when the information rates of secret messages 
are large. The coding scheme in this paper is similar to the 
privacy amplification based scheme with the strong secrecy 
for BCC 1 12 1, but it differs in the following: Let 7^ be a 
random variable of bijection from Si, . . . , St to themselves. 
In order to apply the privacy amplification theorem to 5 1 , . . . , 
S T simultaneously, the correspondence between F(S i, . . ., St) 
and Si has to be the two-universal hashing |[3| for each / = 1, 
. . . , T. We shall also present how to construct such F. 

This paper is organized as follows: Section |ll] reviews 
relevant research results used in this paper Section |lll] intro- 
duces the strengthened version of the privacy amplification 
theorem, then defines and proves the capacity region of the 
secure multiplex coding with a common message, by using 
the strengthened privacy amplification theorem. Section |IV] 
presents constructions of the bijection F described in the 
previous paragraph. Section [V] concludes the paper 

II. Preliminary 
A. Broadcast channels with confidential messages 

Let Alice, Bob, and Eve be as defined in Section U X 
denotes the channel input alphabet and J/ (resp. Z) denotes 
the channel output alphabet to Bob (resp. Eve). We assume 
that X, J/, and Z. are finite unless otherwise stated. We shall 
discuss the continuous channel briefly in Remark [T3] We 
denote the conditional probability of the channel to Bob (resp. 
Eve) by Py\x (resp. Pz\x)- The set S„ denotes that of the 
private message and £„ does that of the common message 
when the block coding of length n is used. We shall define 
the achievability of a rate triple (Ri, Rg, Rq). For the notational 
convenience, we fix the base of logarithm, including one used 
in entropy and mutual information, to the base of natural 
logarithm. The privacy amplification theorem introduced in 
Theorem |5] is sensitive to choice of the base of logarithm. 

Definition 1: The rate triple (Ri, Rg, Rq) is said to be 
achievable if there exists a sequence of Alice's stochastic 
encoder /„ from Sn x £„ to X", Bob's deterministic decoder 
(fin ■ J/" — > S„x&„ and Eve's deterministic decoder i/^,, : X" 
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where S„ and E„ represents the secret and the common 
message, respectively, have the uniform distribution on S„ 
and &„, respectively, and Y" and Z" are the received signal 
by Bob and Eve, respectively, with the transmitted signal 
f„{S„,E„) and the channel transition probabilities Py\x, Pz\x- 
The capacity region of the BCC is the closure of the achievable 
rate triples. 

Theorem 2: fA\ The capacity region for the BCC is given 
by the set of Rq, R\ and R^ such that there exists a Markov 
chain f/ -> V -» X FZ and 

Ri+Ri) < I{y;Y\U) + mm[I{U;Y),I{U;Z)], 
R() < min[/(f/;F),/(t/;Z)], 
Re < I{y;Y\U)-I{V\Z\U), 
Re < Ri- 

As described in ifTTl . U can be regarded as the common 
message, V the combination of the common and the private 
messages, and X the transmitted signal. 

B. Broadcast channels with degraded message sets 

If we set Re - in the BCC, the secrecy requirement is 
removed from BCC, and the coding problem is equivalent to 
the broadcast channel with degraded message sets (abbreviated 
as BCD) considered by Korner and Marton |9|. 

Corollary 3: The capacity region of the BCD is given by 
the set of Rq and R'^ such that there exists a Markov chain 
t/ -» y = X ^ FZ and 



Ro 

Ro + R\ 



< mm[IiU-Y),IiU;Z)], 

< I(V;Y\U) + mm[I(U;Y),I(U;Z)]. 



then '7^ is said to be a family of two-universal hash functions. 

III. Secure multiplex coding with a common message 
A. Strengthened privacy amplification theorem 

In order to analyze the equivocation rate, we need to 
strengthen the privacy amplification theorem originally ap- 
peared in Q, la. 

Theorem 5: (Extension of 16J) Let L be a random variable 
with a finite alphabet £, and Z any random variable. Let T be 
a family of two-universal hash functions from £. to M, and 
F be a random variable on T statistically independent of L. 
Then 

Ey exp(p/(F(L); Z\F = /)) < 1 + \MmPL\z{L\ZY] (1) 

for < p < L If Z is not discrete RV, I{F{L);Z\F) is defined 
to be H(F(L)\F) - 'E,H{F{L)\F,Z = z). 

In addition to the above assumptions, when L is uniformly 
distributed, we have 



\MmPL\z(L\Zf] 



\MmPL\z{L\ZYPL{L)- 



(2) 



In addition to all of the above assumptions, when Z is a 
discrete random variable, we have 

\MmPL\z{L\Z)PPdL)-P] 



\M\P -5—1 

-^Yj^L({)Pz\L{z\e)'^PPz{z)- 



(3) 

Proof. See |fT3l Appendix]. ■ 
Remark 6: It was assumed that Z was discrete in ifTSll . 

However, when the alphabet of L is finite, there is no difficulty 

to extend the original result. 

As in |6 1 we introduce the following two functions. 
Definition 7: 

^ip,Pz\L,PL) = log^^PL(^)^Z|L(z|^)'^^^z(z)"^ (4) 

z t 

\1-P 



(I>(P,Pz\l,Pl) = log^ 



Y,PLii)iPz\L{z\0 



l/(l-p) 



V t 



(5) 



One of several typical proofs for the direct part of BCD is as 
follows 12|: Given Puv, Ro, R'l, we randomly choose exp(n/?o) 
codewords of length n according to P"^, and for each created 
codeword u", randomly choose exp(nR'^) codewords of length 
n according to P'y^jj(-\u"). Over the constructed ensemble of 
codebooks, we calculate the average decoding probability 
by the joint typical decoding, or the maximum likelihood 
decoding, etc. 

C. Two-universal hash functions 

We shall use a family of two-universal hash functions Q 
for the privacy amplification theorem introduced later. 

Definition 4: Let be a set of functions from .Si to S2, 
and F the not necessarily uniform random variable on 'F. If 
for any xi JC2 e .Si we have 

Pr[F(xi) = F(X2)] < 

l'S2l 



Observe that (f> is essentially Gallager's function Eq f5\. 

Proposition 8: Q, |[6l exp{(p(p,Pz\L,PL)) is concave with 
respect to Pl with fixed < p < 1 and Pz\l- For fixed < p < 
1, Pl and Pz\l we have 

exp(iA(p, Pz\L, Pl)) < exp(0(p, Pzil, Pl))- (6) 
B. Capacity region of the secure multiplex coding 

Definition 9: The rate tuple (Rq, Ri, Rt) and the 
equivocation rate tuple {Re,i I 9^ I £ {1, T}] are 
said to be achievable for the secure multiplex coding with T 
secret messages if there exists a sequence of Alice's stochastic 
encoder /,, from .Si_„x- • ■xST,nX&n to X", Bob's deterministic 
decoder (p„ : J/" — > .Si,„x- • ■x.Sr„x£„ and Eve's deterministic 
decoder 4r„ : — > S„ such that 

limPr[(5i,„,...,5r,,„£„)^V„(n or 

E„ + iA„(Z")] = 0, 
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liminf T,n\Z")/n > R,j, 
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log \Si„\ 
liminf — > Rj, 

«->oo n 

liminf > /?(), 
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for i - 1, r, where Si„ and £„ represent the /-th secret 
and the common message, respectively, and £„ have the 
uniform distribution on .S,,„ and £„, respectively, 5j,„ is the 
collection of random variables S i,„ with / e J, and F" and 
Z" are the received signal by Bob and Eve, respectively, with 
the transmitted signal f„{S i^„, Sr.n, En) and the channel 
transition probabilities Py\x, Pz\x- The capacity region of the 
secure multiplex coding is the closure of the achievable rate 
tuples. 

Theorem 10: The capacity region for the secure multiplex 
coding with a common message is given by the set of Rq, Ri, 
Rt and {R^j | J c {1, . . . , r)} such that there exists 
a Markov chain U ^ V ^ X ^ YZ and 

R() < min[/(t/;y),/(t/;Z)], 



Ri < I{V; Y\U) + min[/(f/; Y), I{U\ Z)] 



^0 

T 


< 
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!=0 




ReJ 


< 


Re,I 


< 



Vr.. 
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Proof. The converse part of this coding theorem follows from 
that for Theorem |2] We have to show the direct part. 

Let <S,-,„ be the message set of the /-th secret message, and 
Si,n - (Si,,, : / e I). Let the RV B„ on S„ denote the 
private message to Bob without secrecy requirement, E„ on 
&„ the common message to both Bob and Eve. Without loss 
of generality we may assume that S„ - Y\J=\ ■Si,n, where the 
set St+i is the alphabet of randomness used by the stochastic 
encoder, and n denotes the code length. (S i „, . . . , Stm, Sr+un) 
is assumed to be uniformly distributed, which implies the 
statistical independence of (5i,„, ST+\,n)- In Section 

ITVl we shall prove the existence of a set ;F„ of bijective maps 
from Sn to itself such that if F„ is the uniform random variable 
on T'n then aj o F„ is a family of two-universal hash functions 
from Sn to 5, ,, for all J c {1, . . . , T}, where aj is the 
projection from S„ to WieiSi^n- 

Let A be an RV indicating selection of codebook in the 
random ensemble constructed in the way reviewed in Section 
IlLBl U" = A(£„) on and V" = A(B„,E„) on "V" 
codewords for the BCD taking the random selection A taking 
into account, and Z" Eve's received signal. 

The structure of the transmitter and the receiver is as 
follows: Fix a bijective function /„ e f„ and Alice and Bob 
agree on the choice of /„. Given T secret messages si „, 
ST,n, choose sr+i,„ uniformly randomly from St+i, treat 
b„ - /~'(si,nj sr,n, ■sr+i./i) as the private message to Bob, 
encode b„ along with the common message e„ by an encoder 
for the BCD, and get a codeword v". Apply the artificial noise 



to v" according to the conditional probability distribution P"^^y 
and get the transmitted signal x". Bob decodes the received 
signal and get b„, then apply /„ to b„ to get (ii,„, . . . , ir,n)- This 
construction requires Alice and Bob to agree on the choice of 
/„. We shall show that there exists at least one /„ that meets 
the requirements of secure multiplex coding. 

Define B,', = /^,7'('S i,,,, Sjji, Sj+i,,,)- We want to apply 
the privacy amplification theorem to I{ai{F„{B'„));Z"\F„) for 
an arbitrary fixed % + I Q[\, T}. To use the theorem we 
must ensure independence of F„ and B,',. Since the conditional 
distribution of B,', is always uniform regardless of the realiza- 
tion of F„, we can see that F„ and B', are independent. It 
also follows that B^ is uniformly distributed over S„. Denote 
BJ, by B„. The remaining task is to find an upper bound on 
liaiiF „{B„));Z"\F „, h). Since the decoding error probability 
of the above scheme is not greater than that of the code for 
BCD, we do not have to analyze the decoding error probability. 

Firstly, we consider Ey;, exp{pI{aj{F„{B„)); Z"\Fn - f„, K- 
A)) with fixed selection A of A. In the following analysis, we 
do not make any assumption on the probability distribution of 
En except that S\^n, . . . , ST+\,n, En, F„ and A are statistically 
independent. 

By the almost same argument as (12] with use of Eq. ([T]|, 
we can see 

E^, exp(pI(aiiF„iBn)y,Z"\F„ = /,„ A = A)) 

< Ey;, exp(pI{aj((Fn(Bn));Z",En\F„ = /„, A = A)) 

(Giving the common message E„ does not increase / much.) 
= Ef„ exp(pY^PE,Xe)Iiai(Fn(B„));Z"\Fn = f„,E„ = e, A = A)) 

e 

< Ey„ ^ PE„{e)sxp(pI(ai(Fn(B„)y,Z"\Fn = f„,E„ = e, A = A)) 

e 

^ expinpRp) ^ 

Pz-\E„=e.A=A{z)-' (by Eqs. ([1}©) 
= 1 H- ^ PeSs) exp(np(Rj - Rp) + ip(p, Pz"\v,Pv\e„=c,k=a)) 

e 

(by 112 and Eq. Q), 

< 1 + ^ PE„{e) exp(np(Ri - Rp) + (f>(p, Pz'\V',Pv'\E„=e,K=A)) 

e 

(by Eq. ©) 



where 



Ri = 



Rp = 



Z;eJ log \Si,n\ 

log|S„1 



(7) 
(8) 



We shall average the above upper bound over A. By the 
almost same argument as lfT2ll . we can see 

exp(pE^„, Yj PE,Xe)I(ajiFniB„)); Z"\Fn = /„, A = A, En = e)) 

e 

(9) 
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< E exp(p Yj Pe„ {e)I{ai{F„{Bn))\ Z"| 

e 

F„ = f„,A = A,E„ = e)) 



= 1 + 



exp(p(«j - Rp)) 



^ Pu(u) exp(cf>{p, Pz\v, Pv\u=u)) 



(10) 



Taking the logarithm of Eqs. (|9]l and ( fTOl l we can see 

/(ffr(F„(B„));Z",£„|F„,A)) 
= /(a7(F„(B„));Z"|F„,A,£„)) 
1 



< -iog{i + [exp(p(/;j-7;^)) 
p 



1 

< - 

p 



\ue%t 



]"! 



^ Pf/(M) exp(<^(p, f z|v, Pv\u=u)) 

^ Pt/(M) exp(0(p, Pz|v, Pv\u=u)) 



\ueu 



We shall consider the limit of the above upper bound. Taking 
the logarithm of the upper bound (fTTI) we have 

- logp + np 

X Rj-Rp + ^ ^^^"-^ exp(</.(p, Pz|v, ^'i/|f/=H))) 



We can see that (*) —> I(V;Z\U) as p — » by applying the 
I'Hopital's rule to (*). 
Set the size of S„ as 

log \S„\ 
^' ' ^Rn^ I(V; Y\U) - 6 
n 

with 6 > such that 

Ri-Re,i>Ri-Rp + I{V;Z\U) (12) 

for all J c {1, . . . , r}. Then by Eq. (dB, we can see that 
there exists e„ — > Q(n oo) such that 

I(Si-Z"\F„,A)<e„ (13) 

if Rj - Rej. On the other hand, when Ri > Rej, by Eq. (fTOl l. 
we have 

E^„,exp(p/(57;Z"|F„ = /„, A = A)) 
< 1 + exp(np(7;j - Rp + /(V; Z|f/) + e(p))), (14) 

where e(p) — » 0(p — > 0). Let 6„ be the decoding error 
probability of the underling channel code for BCD. Then, by 
the almost same argument as ifTsl . there exists at least one 
pair of (f„,A) such that 

I(Sr,Z"\F„,A) < 2 ■ 2^e„ (if Rj = R^j), 
exp(pI(S i-Z"\F„ =/„,A = A)) < 2-2^[l + exp(np(R j - R p+ 

I(V;Z\U) + e(p)))l (15) 
decoding error probability < 2 ■ 2^(5„. 



By Eq. (flSl l we can see 

/(5j;Z"|F„^/„,A^^) ^ 1 + log(2 ■ 2^) 
n ^ np 



+ RT-Rn 



+ I(V;Z\U) + €(p). (16) 

for 7?/ - + /(y;Z|t/) + e(p) > 0, where we used log(l + 
exp(jic)) < 1 + X for x > 0. By Eqs. ( fT2b and ( fTSI ) we can see 
that the equivocation rate H(Sj\Z", F„ = /„, A = /l)/n becomes 
larger than the required value for sufficiently large n. This 
completes the analysis of the equivocation rates and the mutual 
information for all J c {1, . . . , T). ■ 

Remark 11: Our proof does not require the common mes- 
sage En to be decoded by Bob. Our technique can provide an 
upper bound on the mutual information of Si to Eve even 
when E„ is a private message to Eve. 

Remark 12: The (negative) exponential decreasing rate of 
the mutual information in our argument is 



(11) p(Ri-Rp) + log 



2 Puvziu, V, z)Pz\v(z\v)PPziu(z\u)''' 



(17) 



when Rej - Rj. Minimizing the above expression over 
< p < 1, and f/ ^ y ^ Z ^ yz such that 
Rq < mm{I(U;Y), I(U;Z)} and Rp < I(V;Y\U) gives the 
smallest negative exponent. From the form of the mathematical 
expression, increase in Rp decreases the mutual information 
and increases the decoding error probability of the secret mes- 
sage to Bob. This suggests that the optimal mutual information 
and the optimal decoding error probability cannot be realized 
simultaneously. We note that the exponent (fTTb is the same as 
one given by Yamamoto et al. |8| when there is no common 
message. 

Remark 13: We can easily carry over our proof to the case 
of the channel being Gaussian, because 

. we can extend Eq. (O to the Gaussian case just by 
replacing the probability mass functions Pz\l and Pz by 
their probability density functions. 

. the random codebook A obeys the multidimensional 
Gaussian distribution, 

. the concavity of (p is retained when its second argument 
is conditional probability density, 

. and the all mathematical manipulations in this section 
remains valid when U, V, Z, A are continuous and their 
probability mass functions are replaced with probability 
density functions, while B„, E„, F„ remain to be discrete 
RVs on finite alphabets. 

IV. Random permutations whose projections give 

TWO-UNIVERSAL HASH FUNCTIONS 

Let Si, . . . , St+1 be finite sets and S - Y\J=i <Si- In Section 
Unl we needed a set ;F of bijective maps from S to itself 
such that the uniform random variable F on gives two- 
universal hash functions from S to Si by aj o F, where aj 
is the projection from S to Yliei'^i- In this section we shall 
present two such sets with increasing order of implementation 
efficiency. 
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Proposition 14: Suppose that T is the set of all permuta- 
tions on S, then aj o F forms a family of two-universal hash 
functions for all J c {1, . . . , r 4- 1}. 
Proof. Let xi X2 e S. We have \T\ On the other hand, 

the number of permutations F such that aj{F(xi)) = aj(F(x2)) 
is given by 



|S|x(-l + []|>S,|)x(|S|-2)! 



id 



because the number of choices of F(xi) is \!B\, the number of 
choices of F{x2) given the choice of F(xi) is (-1 -H Y\i<ti I'^il), 
and the number of choices for values of rest of elements under 
F is (|S|-2)!. Therefore, 



Pr[ai(F(xi)) = ai(F(x2))] = 



1 



which completes the proof. ■ 
The above construction can be used with any set S, but 

implementation of random permutations is costly. When Si is 

a linear space over a finite field F^, we have a more efficient 

implementation. 

Lemma 15: Let X be a subgroup of the group of all 

bijective linear maps on S. For x e S, the orbit 0(x) of x 

under the action of X is defined by 

0(f) = {Lf I L e £]. 

The family of functions {aj o L | L e X} is a family of two- 
universal hash functions if and only if 



\0{^\ 



n<el\Si\ 



for allveS\ {0} 
Proof. We have 



\{Lej:\L(A-x2)e{0]xUi(iSi)\ 

|{L 6 £ I L(f 1 - f2) e i0] X Uiii Si)]) \ {6]\ 

\{Le£\ L(xi - X2) e - X2)}\ 
\0{xi-^2)r^i{Q]xUiiiSi)])\ 

- f2)l 

Renaming xi - X2 to v proves the lemma. ■ 
Proposition 16: If X. is the set of all bijective linear maps 
on S, then {ccj o L | L e X) is a family of two-universal hash 
functions. 

Proof. For a nonzero i' e S, we have 0{v) = S \ {0), which 
implies 



\0(^\^\S\-l, 



io(i/)n({d)xrf5,)))i = — 1^ 



Si\ 



- 1. 



By Lemma [15] we can see that the proposition is true. 



V. Conclusion 

We have presented a coding scheme for the secure multiplex 
coding proposed by Yamamoto et al. |8|. Our coding scheme 
has two features: (1) evaluation of the mutual information be- 
tween Eve's received signal and a collection of multiple secret 
messages, including the convergence speed to the infinity when 
the information rates of secret messages are large, and (2) 
support for a common message to both Bob and Eve. 

We note that we can make the proposed encoder and 
decoder universal by replacing the channel code with the 
constant composition code used by Korner and Sgarro ifTOl 
as done in |i7J. 
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